Zero-day exploit hits Java – should you just turn it off?

By Kevin McCaney

Aug 27, 2012

The discovery of a zero-day vulnerability in Oracle’s Java 7 has prompted calls for users to turn off Java in their browsers until a patch is issued, something feds and other government managers might want to think about, too.

The flaw is being exploited in active, though so far limited, attacks that are originating from a server in China, according to security researcher Atif Mushtaq at FireEye, who first reported the flaw on Aug. 26.

The attacks download the Poison Ivy RAT (Remote Access Trojan), which takes commands from a remote server. The vulnerability exists only in Java 7 (1.7) Update 0 through 6, not in earlier versions, and the exploit works in all versions of Internet Explorer, Firefox and Opera, according to researchers Andre DiMino and Mila Parkour at DeepEnd Research, who also have examined the Trojan. Meanwhile, Rapid 7, which maintains the Metasploit exploit framework used for penetration testing and hacking, said it had developed an exploit that also works against Chrome.

The Metasploit exploit reportedly works against patched versions of Windows 7, as well as against IE and Firefox on Vista and XP, Chrome on XP and Firefox on Ubuntu Linux 10.04.

In developing the Federal Desktop Core Configuration for standardizing agency systems, the National Institute of Standards and Technology originally banned the use of Java because of security concerns. But in August 2008, NIST said agencies could enable Java on approved websites.

Although reports of attacks are few so far, security researchers say the potential threat is serious because of Java’s ubiquity and because Oracle issues its patches quarterly, with the next one not due until October. Unless the company issues an emergency patch, unsuspecting users could be vulnerable to drive-by attacks.

Security writer Brian Krebs is among those advocating turning Java off. He said Windows users can check to see if they’re running Java by going to Java.com and clicking the “Do I have Java?” links and Mac users can check Software Updates.

If you use websites or programs that require Java, Krebs recommended using two browsers: one with Java turned off for most web use, and one with it enabled for the must-have programs.
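Before deciding whether to disable or uninstall, an administrator wants to know which machines are actually inside the range the article reports as affected (Java 7, Update 0 through 6). The script below is an added example, not from the article or from any of the researchers it cites: it parses the first line of `java -version` output (the JVM writes it to stderr) and flags a runtime only when it falls in that reported range. The sample outputs are constructed for illustration, not captured from real systems; note that a version string with no `_NN` suffix, such as `1.7.0`, is Update 0 and therefore inside the range.

```python
import re
import subprocess
from typing import NamedTuple, Optional

# Range the article reports as vulnerable: Java 7 (1.7.0), Update 0 through Update 6.
# Anything outside it is treated as "not in the reported range", which is only as
# good as the report itself.
AFFECTED_FAMILY = (1, 7, 0)
AFFECTED_UPDATES = range(0, 7)  # 0..6 inclusive


class JavaVersion(NamedTuple):
    major: int
    minor: int
    patch: int
    update: int


# Matches e.g. 'java version "1.7.0_06"', 'java version "1.7.0"', 'openjdk version "1.7.0_03"'
_VERSION_RE = re.compile(
    r'(?:java|openjdk) version "(\d+)\.(\d+)\.(\d+)(?:_(\d+))?[^"]*"'
)


def parse_java_version(output: str) -> Optional[JavaVersion]:
    """Parse a `java -version` banner. Returns None if no version string is present.

    A missing "_NN" update suffix (e.g. "1.7.0") means Update 0.
    """
    m = _VERSION_RE.search(output)
    if not m:
        return None
    major, minor, patch, update = m.groups()
    return JavaVersion(int(major), int(minor), int(patch), int(update or 0))


def is_affected(output: str) -> Optional[bool]:
    """True if the runtime is in the reported range, False if outside it,
    None if the banner could not be parsed (e.g. java is not installed)."""
    v = parse_java_version(output)
    if v is None:
        return None
    return (v.major, v.minor, v.patch) == AFFECTED_FAMILY and v.update in AFFECTED_UPDATES


def installed_java_output() -> str:
    """Run `java -version` on this machine. Returns '' if java is not on PATH."""
    try:
        proc = subprocess.run(
            ["java", "-version"], capture_output=True, text=True, timeout=10
        )
    except (FileNotFoundError, subprocess.TimeoutExpired):
        return ""
    # The JVM prints the banner to stderr; include stdout for safety.
    return proc.stderr + proc.stdout


# Constructed sample banners (not real captures) covering the edge cases.
SAMPLE_OUTPUTS = {
    "7u6":  'java version "1.7.0_06"\nJava(TM) SE Runtime Environment (build 1.7.0_06-b24)\n',
    "7u0":  'java version "1.7.0"\nJava(TM) SE Runtime Environment (build 1.7.0-b147)\n',
    "7u7":  'java version "1.7.0_07"\n',
    "6u33": 'java version "1.6.0_33"\n',
    "none": 'bash: java: command not found\n',
}

if __name__ == "__main__":
    for label, banner in SAMPLE_OUTPUTS.items():
        print(f"{label:5} -> affected={is_affected(banner)}")
    local = installed_java_output()
    if not local:
        print("this machine -> no java on PATH")
    else:
        print(f"this machine -> affected={is_affected(local)}")
```

The check only covers the runtime found on PATH; a browser plugin can be wired to a different installation, so on a fleet you would run it against each known JRE directory rather than trusting a single `java` binary.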

Wed, Aug 29, 2012

If you use a Chromebook, this is a non-issue.

Wed, Aug 29, 2012
Terry Schneider
Hillsborough, NC

This probably would have happened if Sun Microsystems was still in business and Java was controlled by them. Larry Ellison only cares about money and not how well the product works. He had a moral commitment to keep Java viable. I had noticed many problems with Java after he bought Sun. Java needs to be taken away from Oracle and maintained by a group who cares, or a replacement needs to be developed.
